sqreen 1.8.1-java → 1.8.2-java
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/sqreen/condition_evaluator.rb +1 -1
- data/lib/sqreen/frameworks/generic.rb +10 -1
- data/lib/sqreen/rules_callbacks/execjs.rb +82 -1
- data/lib/sqreen/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a7d88eb10dd8c68391cac146381b6a011819cf6c
|
|
4
|
+
data.tar.gz: e965922d7adac842200919bea4861eaf291de2d9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 496245abe34c72c16c3653033b7a8667174001de778d55d68cc7ce4f9c06f672dda656203ec4acc7b961fa96e89c8c5feed5901a75ab9ab35f11ddfa70d7bd31
|
|
7
|
+
data.tar.gz: 421564e3bebc03c43562a3713a27cec7bb8b3ec79769a2af1ddf5b7ff1b1daefe7b3f4e6cd9113e0d6e8924668750ef56dfef5abd993d4d46f9f98d70c89cce2
|
|
@@ -30,7 +30,7 @@ module Sqreen
|
|
|
30
30
|
# @params value [Object] object to find
|
|
31
31
|
# @params hash [Hash] Hash to search into
|
|
32
32
|
# @params min_value_size [Fixnum] to compare against
|
|
33
|
-
def self.hash_val_include?(value, hash, min_value_size, rem =
|
|
33
|
+
def self.hash_val_include?(value, hash, min_value_size, rem = 20)
|
|
34
34
|
return true if rem <= 0
|
|
35
35
|
vals = hash
|
|
36
36
|
vals = hash.values if hash.is_a?(Hash)
|
|
@@ -64,16 +64,25 @@ module Sqreen
|
|
|
64
64
|
|
|
65
65
|
# Sourced from rack:Request#trusted_proxy?
|
|
66
66
|
TRUSTED_PROXIES = /\A127\.0\.0\.1\Z|\A(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.|\A::1\Z|\Afd[0-9a-f]{2}:.+|\Alocalhost\Z|\Aunix\Z|\Aunix:/i
|
|
67
|
+
LOCALHOST = /\A127\.0\.0\.1\Z|\A::1\Z|\Alocalhost\Z|\Aunix\Z|\Aunix:/i
|
|
67
68
|
|
|
68
69
|
# What is the current client IP
|
|
69
70
|
def client_ip
|
|
70
71
|
req = request
|
|
71
72
|
return nil unless req
|
|
73
|
+
# Look for an external address being forwarded
|
|
72
74
|
forwarded = req.env['HTTP_X_FORWARDED_FOR']
|
|
73
75
|
ips = split_ip_addresses(forwarded)
|
|
74
76
|
last = ips.find { |ip| (ip !~ TRUSTED_PROXIES) && valid_ip?(ip) }
|
|
75
77
|
return last unless last.nil?
|
|
76
|
-
|
|
78
|
+
# Else fall back to declared remote addr
|
|
79
|
+
r = req.env['REMOTE_ADDR']
|
|
80
|
+
# If this is localhost get the last hop before
|
|
81
|
+
if !ips.empty? && r =~ LOCALHOST
|
|
82
|
+
last = ips.find { |ip| (ip !~ LOCALHOST) && valid_ip?(ip) }
|
|
83
|
+
return last unless last.nil?
|
|
84
|
+
end
|
|
85
|
+
r
|
|
77
86
|
end
|
|
78
87
|
|
|
79
88
|
# Get a header by name
|
|
@@ -9,7 +9,9 @@ end
|
|
|
9
9
|
|
|
10
10
|
require 'execjs'
|
|
11
11
|
|
|
12
|
+
require 'sqreen/rule_attributes'
|
|
12
13
|
require 'sqreen/rule_callback'
|
|
14
|
+
require 'sqreen/condition_evaluator'
|
|
13
15
|
require 'sqreen/binding_accessor'
|
|
14
16
|
require 'sqreen/events/remote_exception'
|
|
15
17
|
|
|
@@ -19,7 +21,8 @@ module Sqreen
|
|
|
19
21
|
class ExecJSCB < RuleCB
|
|
20
22
|
def initialize(klass, method, rule_hash)
|
|
21
23
|
super(klass, method, rule_hash)
|
|
22
|
-
callbacks = @rule[
|
|
24
|
+
callbacks = @rule[Attrs::CALLBACKS]
|
|
25
|
+
@conditions = @rule.fetch(Attrs::CONDITIONS, {})
|
|
23
26
|
|
|
24
27
|
if callbacks['pre'].nil? &&
|
|
25
28
|
callbacks['post'].nil? &&
|
|
@@ -61,6 +64,48 @@ module Sqreen
|
|
|
61
64
|
call_callback('failing', inst, args, rv)
|
|
62
65
|
end
|
|
63
66
|
|
|
67
|
+
def self.hash_val_included(needed, haystack, min_length = 8, max_depth = 20)
|
|
68
|
+
new_obj = {}
|
|
69
|
+
insert = []
|
|
70
|
+
to_do = haystack.map { |k, v| [new_obj, k, v, 0] }
|
|
71
|
+
until to_do.empty?
|
|
72
|
+
where, key, value, deepness = to_do.pop
|
|
73
|
+
safe_key = key.kind_of?(Integer) ? key : key.to_s
|
|
74
|
+
if value.is_a?(Hash) && deepness < max_depth
|
|
75
|
+
val = {}
|
|
76
|
+
insert << [where, safe_key, val]
|
|
77
|
+
to_do += value.map { |k, v| [val, k, v, deepness + 1] }
|
|
78
|
+
elsif value.is_a?(Array) && deepness < max_depth
|
|
79
|
+
val = []
|
|
80
|
+
insert << [where, safe_key, val]
|
|
81
|
+
i = -1
|
|
82
|
+
to_do += value.map { |v| [val, i += 1, v, deepness + 1] }
|
|
83
|
+
elsif deepness >= max_depth # if we are after max_depth don't try to filter
|
|
84
|
+
insert << [where, safe_key, value]
|
|
85
|
+
else
|
|
86
|
+
v = value.to_s
|
|
87
|
+
if v.size >= min_length && ConditionEvaluator.str_include?(needed.to_s, v)
|
|
88
|
+
case where
|
|
89
|
+
when Array
|
|
90
|
+
where << value
|
|
91
|
+
else
|
|
92
|
+
where[safe_key] = value
|
|
93
|
+
end
|
|
94
|
+
end
|
|
95
|
+
end
|
|
96
|
+
end
|
|
97
|
+
insert.reverse.each do |wh, ikey, ival|
|
|
98
|
+
case wh
|
|
99
|
+
when Array
|
|
100
|
+
wh << ival unless ival.empty?
|
|
101
|
+
else
|
|
102
|
+
wh[ikey] = ival unless ival.empty?
|
|
103
|
+
end
|
|
104
|
+
end
|
|
105
|
+
|
|
106
|
+
new_obj
|
|
107
|
+
end
|
|
108
|
+
|
|
64
109
|
protected
|
|
65
110
|
|
|
66
111
|
def record_and_continue?(ret)
|
|
@@ -92,6 +137,7 @@ module Sqreen
|
|
|
92
137
|
arguments = (args_override || @argument_requirements[name]).map do |accessor|
|
|
93
138
|
accessor.resolve(binding, framework, inst, args, @data, rv)
|
|
94
139
|
end
|
|
140
|
+
arguments = restrict(name, arguments) if @conditions.key?(name)
|
|
95
141
|
Sqreen.log.debug { [name, arguments].inspect }
|
|
96
142
|
ret = @compiled.call(name, *arguments)
|
|
97
143
|
unless record_and_continue?(ret)
|
|
@@ -110,6 +156,41 @@ module Sqreen
|
|
|
110
156
|
nil
|
|
111
157
|
end
|
|
112
158
|
|
|
159
|
+
def each_hash_val_include(condition, depth = 10)
|
|
160
|
+
return if depth <= 0
|
|
161
|
+
condition.each do |key, values|
|
|
162
|
+
if key == ConditionEvaluator::HASH_INC_OPERATOR
|
|
163
|
+
yield values
|
|
164
|
+
else
|
|
165
|
+
values.map do |v|
|
|
166
|
+
each_hash_val_include(v, depth - 1) { |vals| yield vals } if v.is_a?(Hash)
|
|
167
|
+
end
|
|
168
|
+
end
|
|
169
|
+
end
|
|
170
|
+
end
|
|
171
|
+
|
|
172
|
+
def restrict(cbname, arguments)
|
|
173
|
+
condition = @conditions[cbname]
|
|
174
|
+
return arguments if condition.nil? or @argument_requirements[cbname].nil?
|
|
175
|
+
|
|
176
|
+
each_hash_val_include(condition) do |needle, haystack, min_length|
|
|
177
|
+
# We could actually run the binding accessor expression here.
|
|
178
|
+
needed_idx = @argument_requirements[cbname].map(&:expression).index(needle)
|
|
179
|
+
next unless needed_idx
|
|
180
|
+
|
|
181
|
+
haystack_idx = @argument_requirements[cbname].map(&:expression).index(haystack)
|
|
182
|
+
next unless haystack_idx
|
|
183
|
+
|
|
184
|
+
arguments[haystack_idx] = ExecJSCB.hash_val_included(
|
|
185
|
+
arguments[needed_idx],
|
|
186
|
+
arguments[haystack_idx],
|
|
187
|
+
min_length.to_i
|
|
188
|
+
)
|
|
189
|
+
end
|
|
190
|
+
|
|
191
|
+
arguments
|
|
192
|
+
end
|
|
193
|
+
|
|
113
194
|
def build_accessor(reqs)
|
|
114
195
|
reqs.map do |req|
|
|
115
196
|
BindingAccessor.new(req, true)
|
data/lib/sqreen/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sqreen
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.8.
|
|
4
|
+
version: 1.8.2
|
|
5
5
|
platform: java
|
|
6
6
|
authors:
|
|
7
7
|
- Sqreen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-09-25 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: execjs
|